-
Be the first to like this
Upcoming SlideShare
A Strategy for Addressing Cyber Security Challenges
- 1. A Strategy for Addressing Cyber Security Challenges Mustaque Ahamad Professor of Computer Science, Georgia Ins>tute of Technology Global Professor of Engineering, New York University Abu Dhabi Co-‐founder and Chief Scien>st, Pindrop Security
- 2. A Couple of Observa>ons • Cyber security has become an extremely important problem for people, businesses and governments. • Addressing cyber security challenges presents serious challenges. • Cyber now reaches into cri>cal physical systems. • Cyber security is going to be a journey, not a des>na>on.
- 3. Are Things Really Bad? • Growing sophis>ca>on of the threat landscape – Cyber criminals, hack>vits, terrorists and na>on-‐states – Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report) – Greatest transfer of wealth (Keith Alexander, hXp://foreignpolicy.com/2012/07/09/nsa-‐chief-‐cybercrime-‐cons>tutes-‐the-‐greatest-‐transfer-‐of-‐wealth-‐in-‐history/ ) • Complex technology ecosystem – “Reflec>ons on trus>ng trust” • People, processes and coordina>on across mul>ple stakeholders
- 4. Threats + Vulnerabili>es => AXacks • Can we make threats go away? • AXribu>on is extremely difficult • Global and transna>onal • How can we address vulnerabili>es? • Security errors in sofware (over 1700 entries in NVD in last 3 months) • Asymmetry – aXackers only need to find one bug, we need to fix all • People are weak links • Only higher assurance, no perfect security – Stronger preven>on and early detec>on – Faster recovery and remedia>on
- 5. So, What Can We Do? • Educa>on – Developing the “security mindset” – Undergraduate and graduate programs • Research – Rapidly evolving field • Policy, legal and regula>on – It is much more than technology
- 6. Educa>ng Cyber Security Professionals • US Na>onal Ini>a>ve for Cybersecurity Educa>on (NICE) hXp://csrc.nist.gov/nice/framework/
- 7. Capacity Building for Educa>ng Cyber Security Professionals • What do we do? – Undergraduate or graduate programs? – Integra>ng security concepts in CS curriculum? – Voca>onal programs? • How do we do it? – So, where do we find cyber security faculty? – Developing hands on projects and laboratories • US Response – Centers of Excellence Program (NSA/DHS) – Scholarship-‐for-‐Service (SFS) Program) – NSF SaTC Educa>on Projects • Curriculum development, sharing, workshops etc.
- 8. Research Capacity Building • Evolving threat landscape and rapidly changing technologies – Gelng ahead of emerging threats – “Test and verify” rather than “trust but verify” • Diverse set of research challenges – Trustworthiness of technology to human dimension • Real-‐world impact of research – Tech transfer and commercializa>on
- 9. Example I: Malware Analysis • Scalable malware analysis system processes approximately 250K samples a day • Extrac>ng features from communica>on paXerns • Big data due to deep packet analysis and event volume • Machine learning for aXribu>on • Visualiza>on and ac>onable intelligence Mariposa Botnet Tracking and Takedown
- 10. Example II: Data-‐Driven Cyber Risk • Collect cyber risk relevant data from mul>ple sources – Vulnerabili>es – Exploit kits and malware – AXack data (public and private) • Analy>cs and visualiza>on – Lean back and lean forward Calendar view of reported vulnerabili>es
- 11. Na>onal R&D Strategy: US Example • Na>onal Science Founda>on Secure and Trustworthy (SaTC) – Launched afer developing a na>onal strategy ( hXps://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf) – Interdisciplinary including behavioral and economic aspects • DHS, DARPA and NSA Ini>a>ves – Cri>cal infrastructure security (CPS) – Resilient and transparent compu>ng – Science of security • Networking and Informa>on Technology Research and Development (NITRD) Program – Coordinated across mul>ple agencies – High level goal is to maintain US technological leadership in this field
- 12. Cyber Security Policy • Policy development is as important as best technical safeguards • Should companies and government agencies required to prac>ce certain level of cyber hygiene? • Informa>on sharing and coordina>on • Privacy • Legal and enforcement issues
- 13. Lessons Learned • Educa>on capacity building – Aggressively support centers like CERC IIIT Delhi – CS curriculum needs to be augmented with cyber security offerings at all levels – “Educa>ng the educators” – summer schools, workshops and hosted programs – What do we do about faculty? • Incen>ves for CS faculty members to shif/expand their research into cyber security • Be crea>ve (professor of prac>ce, global professor etc.)
- 14. Lessons Learned Contd. • Research capacity building – You cannot be a major player without a strong research base • How many papers at security conferences from India? – Launch/seed a few ambi>ous (and high risk) research projects like NSF’s fron>ers – Start/get security conferences to India to grow the community – Applied research exper>se • Cannot only rely on security vendor professionals for crisis handling • CDC for cyber, CERT 2.0? – Coordina>on across Na>onal Labs, DRDO?? – Home grown cyber security companies??
- 15. Lessons Learned Contd. • Cyber security is much more than technology – Policy, regulatory and legal dimensions – Cyber security maturity model and best prac>ces – Preparedness assessment – Conversa>ons at the highest level (WEF ini>a>ve) – Informa>on sharing, coordina>on and mutual aid – Informal trust networks
- 16. Conclusions • Cyber risk ranks among the top global risks (2015 WEF Global risks report) • Na>onal response is of cri>cal importance • Need to move at “network speed” • It is all about capacity building • Ignore research at your own peril
Be the first to comment